Password Guru admits he had it wrong

14 years ago Bill Burr became the guru of passwords. His advice was to do away with memorable words in favour of garbled strings of letters, numbers and special characters that would be near-impossible for criminals to guess. This was and still is accepted as gospel around the world. He now acknowledges that the information he published in 2003 only makes people more vulnerable to hackers.

The trouble, according to security researchers, is that in reality the recommendation caused many people to adopt highly predictable “complex” passwords, such as “Pa$$w0rd”, to try to remember them. Mr Burr also suggested that people should change their passwords at least every 90 days. This advice, which was adopted by corporations, universities and government bodies, gave individuals grappling with ever-growing numbers of passwords an even greater incentive to adopt easy combinations.

Many people have come to “update” their passwords by making the simplest tweaks. “Pa55w0rd1” becomes “Pa55w0rd2”, “Pa55w0rd3” and then “Pa55w0rd4”, for example.
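The incremental tweaks described above are what a password-change handler can catch, because at that one moment the user supplies both the old and the new password (the server otherwise stores only a hash). The following is an added example, not code from the article or from any product it names; the function names, the leet-speak table and the sample passwords are this example's own.

```python
"""Flag a new password that is a trivial variant of the old one.

Added example: a password-change handler can run this because the user
supplies both the old and the new password at that moment. The leet table,
function names and sample passwords are constructed for this example.
"""
import re

# Fold common digit/symbol substitutions back to the letters they stand in for.
_LEET = str.maketrans("0134578@$!", "oieastbasi")


def normalize(pw: str) -> str:
    """Strip a trailing counter or symbol, lower-case, undo leet substitutions.

    'Pa55w0rd1', 'Pa55w0rd2' and 'P@ssword!' all become 'password'.
    """
    core = re.sub(r"[^A-Za-z]+$", "", pw)   # drop trailing digits / symbols
    return core.lower().translate(_LEET)


def _within_one_edit(a: str, b: str) -> bool:
    """True if b is a with at most one character inserted, deleted or replaced."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):      # substitution: advance both
            i += 1
            j += 1
        else:                     # insertion in the longer string: advance it only
            j += 1
    return True                   # a leftover tail character is the single edit


def is_trivial_variant(old: str, new: str) -> bool:
    """Return True when the new password is a predictable tweak of the old one."""
    if new == old:
        return True
    if normalize(old) == normalize(new):   # same core word, new counter or symbol
        return True
    return _within_one_edit(old, new)       # single-character change


if __name__ == "__main__":
    # Constructed pairs illustrating the article's 'Pa55w0rd1' -> 'Pa55w0rd2' pattern.
    for old, new in [("Pa55w0rd1", "Pa55w0rd2"),
                     ("Summer2016", "Summer2017"),
                     ("Pa55w0rd1", "correcthorsebatterystaple")]:
        print(f"{old!r} -> {new!r}: trivial variant = {is_trivial_variant(old, new)}")
```

The check is deliberately conservative: it only rejects changes that an attacker who already holds the old password would try within a handful of guesses, and it says nothing about whether the new password is strong on its own.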

Because of the stress surrounding complex passwords, people also tend to use the same or similar credentials on different sites. This means that if log-in details are stolen in a data breach, such as the Yahoo hack, criminals can use the same password to access a victim’s accounts on other sites. What we have now is a global password etiquette of requiring at least a capital, symbol and number to be included, but is this necessary?

To counter these problems, cryptography experts have highlighted the merits of long, “simple” passwords, made up of strings of ordinary words. In a widely circulated diagram, the NASA engineer turned cartoonist and author Randall Munroe calculated that it would take 550 years at 1,000 guesses per second to crack the password “correcthorsebatterystaple”, while “Tr0ub4dor&3” could be cracked in three days.
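The two figures quoted above follow from a short calculation, worked through here as an added example that is not part of the article. The entropy estimates it uses are the ones Munroe's diagram states rather than anything on this page: four words drawn from a 2048-word list (11 bits per word, 44 bits in all) for the passphrase, and about 28 bits for the “Tr0ub4dor&3” pattern once an attacker is assumed to know the word-plus-substitution structure; the 1,000 guesses per second rate is the one the article gives. It also shows, as a generalisation beyond the article, the much larger figure a policy gets when it credits every character of an 11-character mixed password as independently random.

```python
"""Guess-time estimates behind the passphrase argument.

Added example, not from the article. Assumptions (from Munroe's diagram, not
from the page): a 2048-word dictionary, 4 words per passphrase, ~28 bits for
the 'Tr0ub4dor&3' pattern, and an attacker at 1,000 guesses per second.
"""
import math

GUESSES_PER_SECOND = 1_000                 # rate quoted in the article
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

DICTIONARY_SIZE = 2048                      # assumed word list (11 bits per word)
PASSPHRASE_WORDS = 4
TROUBADOR_BITS = 28.0                       # diagram's pattern-aware estimate
PRINTABLE_ASCII = 95                        # characters a 'complex' policy draws from


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of word_count words chosen uniformly from dictionary_size words."""
    return word_count * math.log2(dictionary_size)


def naive_charset_bits(length: int, charset_size: int) -> float:
    """Entropy a policy credits if every character were independently random."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time for an attacker at `rate` guesses/s to try all 2**bits candidates."""
    return 2.0 ** bits / rate


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(bits, rate) / SECONDS_PER_YEAR


def days_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(bits, rate) / SECONDS_PER_DAY


def compare(rate: float = GUESSES_PER_SECOND) -> dict:
    """Reproduce the comparison the article cites, plus the naive policy figure."""
    phrase_bits = passphrase_bits(PASSPHRASE_WORDS, DICTIONARY_SIZE)   # 44 bits
    return {
        "passphrase_bits": phrase_bits,
        "passphrase_years": years_to_exhaust(phrase_bits, rate),       # ~557 years
        "troubador_days": days_to_exhaust(TROUBADOR_BITS, rate),       # ~3.1 days
        # What an 11-character 'complex' password looks like if its structure is ignored.
        "troubador_naive_bits": naive_charset_bits(len("Tr0ub4dor&3"), PRINTABLE_ASCII),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>22}: {value:,.1f}")
```

The gap between the 28-bit and 72-bit figures for the same password is the article's point in numbers: complexity rules measure the character set, while an attacker measures the habits people fall into when forced to satisfy those rules.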

Mr Burr, 72, who is now retired, told The Wall Street Journal: “Much of what I did I now regret. In the end, it was probably too complicated for a lot of folks to understand, and the truth is, it was barking up the wrong tree.”

Ciaran Martin, head of Government Communications Headquarters’ (GCHQ) National Cyber Security Centre, has also criticised the standard advice for passwords. In February he told BBC Radio 4’s Today programme that even his own “best technical people” would struggle to remember complex, changing log-ins for multiple accounts.

Mr Burr, who programmed US Army computers during the Vietnam War, told The Wall Street Journal that he had wanted to base his guidance on real-world password data, but too little was available in 2003 and he was under pressure to publish quickly.